Data Processing Agreement
Last updated: January 2024
This Data Processing Agreement ("DPA") supplements and forms part of the Terms of Service or Master Services Agreement between Anton Payments, Inc. and the Client, and governs the processing of personal data in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR).
1. Definitions
Controller: The entity that determines the purposes and means of processing personal data (typically the Client).
Processor: The entity that processes personal data on behalf of the Controller (Anton Payments).
Personal Data: Any information relating to an identified or identifiable natural person.
Processing: Any operation performed on personal data, including collection, storage, use, disclosure, and deletion.
Data Subject: The natural person to whom personal data relates.
Applicable Data Protection Laws: The GDPR, CCPA, and other applicable data protection and privacy laws.
2. Scope and Roles
This DPA applies to all processing of personal data by Anton Payments on behalf of the Client in connection with the provision of payment processing services.
Client as Controller: The Client acts as the Controller of personal data relating to its customers, payees, and other data subjects whose data is processed through our Services.
Anton Payments as Processor: Anton Payments acts as a Processor (and in some cases, a sub-processor) when processing personal data on behalf of the Client in connection with the Services.
Joint Controllers: In certain circumstances, both parties may act as joint controllers. In such cases, the parties will enter into a separate arrangement governing their respective responsibilities.
3. Processing of Personal Data
Purpose of Processing: Anton Payments will process personal data solely for the purpose of providing the Services to the Client, as described in the applicable Service Order or Statement of Work, and in accordance with the Client's documented instructions.
Categories of Personal Data: The personal data processed may include:
- Identity information (name, date of birth, government-issued ID numbers)
- Contact information (email, phone, address)
- Financial information (bank account details, payment card information, transaction data)
- Business information (company name, tax ID, business registration details)
- Technical information (IP address, device identifiers, usage data)
- Compliance information (KYC/KYB documentation, verification status)
Categories of Data Subjects: Personal data may relate to:
- Client's customers and end users
- Payees and payment recipients
- Client's employees and authorized users
- Referral partners and affiliates
Duration of Processing: Personal data will be processed for the duration of the Services and in accordance with our data retention policies and legal obligations.
4. Client Instructions and Compliance
Anton Payments will process personal data only in accordance with:
- The Client's documented instructions, as set forth in the applicable Service Order or as otherwise agreed in writing
- This DPA and the underlying Terms of Service or Master Services Agreement
- Applicable Data Protection Laws
Client Instructions: The Client will provide clear, documented instructions regarding the processing of personal data. If Anton Payments believes that an instruction violates Applicable Data Protection Laws, Anton Payments will inform the Client and may refuse to carry out the instruction until it is clarified or modified.
Compliance: The Client represents and warrants that:
- It has the legal basis and authority to process the personal data
- It has obtained all necessary consents and authorizations from data subjects
- Its instructions comply with Applicable Data Protection Laws
- It will not instruct Anton Payments to process personal data in a manner that violates Applicable Data Protection Laws
5. Security Measures
Anton Payments will implement and maintain appropriate technical and organizational measures to protect personal data against unauthorized access, loss, destruction, or alteration, including:
- Encryption: Data encryption in transit (TLS 1.2+) and at rest (AES-256)
- Access Controls: Role-based access controls, multi-factor authentication, and least-privilege principles
- Network Security: Firewalls, intrusion detection, and DDoS protection
- Security Monitoring: Continuous monitoring, logging, and incident response
- Compliance: PCI DSS Level 1, SOC 2 Type II, ISO 27001
- Employee Training: Regular security awareness training and background checks
- Vulnerability Management: Regular security assessments and penetration testing
- Data Backup: Regular backups with point-in-time recovery capabilities
Anton Payments will regularly review and update these security measures to ensure their continued effectiveness.
6. Sub-Processors
Authorization: The Client generally authorizes Anton Payments to engage sub-processors to assist in providing the Services, provided that:
- Anton Payments maintains a list of sub-processors (available upon request)
- Anton Payments enters into written agreements with sub-processors that impose data protection obligations no less protective than those in this DPA
- Anton Payments remains fully liable for the performance of sub-processors
Notification: Anton Payments will notify the Client of any intended changes to sub-processors. The Client may object to new sub-processors within 30 days of notification. If the parties cannot resolve the objection, the Client may terminate the affected Services.
Common Sub-Processors: Sub-processors may include cloud hosting providers, payment processors, identity verification services, analytics providers, and customer support platforms.
7. Data Subject Rights
Anton Payments will assist the Client in responding to requests from data subjects to exercise their rights under Applicable Data Protection Laws, including:
- Right of access
- Right to rectification
- Right to erasure ("right to be forgotten")
- Right to restriction of processing
- Right to data portability
- Right to object to processing
- Rights related to automated decision-making
Assistance: Anton Payments will provide reasonable assistance to the Client in responding to data subject requests, including by providing tools and functionality within the Services to enable the Client to respond to such requests.
Direct Requests: If Anton Payments receives a data subject request directly, it will forward the request to the Client and will not respond directly unless required by law.
8. Data Breach Notification
Notification Obligation: Anton Payments will notify the Client without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach that affects personal data processed on behalf of the Client.
Breach Information: The notification will include, to the extent available:
- Description of the nature of the breach
- Categories and approximate number of data subjects affected
- Categories and approximate number of personal data records concerned
- Likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate its effects
Assistance: Anton Payments will provide reasonable assistance to the Client in connection with any data breach, including in preparing any required notifications to data subjects or supervisory authorities.
9. Data Transfers
International Transfers: Personal data may be transferred to and processed in countries outside the European Economic Area (EEA) or the United Kingdom, including the United States.
Transfer Mechanisms: Anton Payments will ensure that appropriate safeguards are in place for international transfers, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Binding Corporate Rules where applicable
- Other legally recognized transfer mechanisms
Sub-Processor Transfers: Anton Payments will ensure that sub-processors also implement appropriate transfer mechanisms when processing personal data outside the EEA or UK.
10. Data Retention and Deletion
Retention: Anton Payments will retain personal data only for as long as necessary to provide the Services or as required by law, regulation, or our data retention policies.
Deletion: Upon termination of the Services or upon the Client's written request, Anton Payments will delete or return all personal data to the Client, unless retention is required by law. Deletion will be completed within 90 days of termination or request, unless a longer retention period is required by law.
Backup Data: Personal data may remain in backup systems for a reasonable period after deletion, but will not be actively processed except as required for disaster recovery purposes.
11. Audits and Compliance
Audit Rights: The Client may, upon reasonable notice and during normal business hours, audit Anton Payments' compliance with this DPA, subject to:
- Confidentiality obligations
- Reasonable limitations on frequency (no more than once per year, unless required by regulation)
- Reimbursement of reasonable costs incurred by Anton Payments
- Use of independent third-party auditors where appropriate
Certifications: Anton Payments maintains various security and compliance certifications (PCI DSS, SOC 2, ISO 27001) and will provide summary reports of such certifications upon request.
12. Liability and Indemnification
Each party's liability for breaches of this DPA will be subject to the limitations and exclusions set forth in the underlying Terms of Service or Master Services Agreement.
The Client will indemnify Anton Payments against any claims, damages, or expenses arising from:
- The Client's violation of Applicable Data Protection Laws
- The Client's failure to obtain necessary consents or authorizations
- The Client's instructions that violate Applicable Data Protection Laws
13. General Provisions
Governing Law: This DPA is governed by the laws specified in the underlying Terms of Service or Master Services Agreement, except that data protection provisions will be interpreted in accordance with Applicable Data Protection Laws.
Severability: If any provision of this DPA is found to be unenforceable, the remaining provisions will remain in full force and effect.
Modifications: This DPA may only be modified by written agreement signed by both parties.
14. Contact
For questions about this DPA or data protection matters, please contact:
Anton Payments, Inc.
Data Protection Officer
Email: [email protected]
Legal: [email protected]